September 2009

2009.09.26

We will continue to look at the changes to the risk appetite that a company experiences along with growth. Part 1 started with a one-man operation that was home-based, as in the majority of cases. The business has experienced success and is now demanding a bigger commitment from the owner.

The space at home is no longer enough and does not allow the owner to operate in a highly focussed environment, so an office is needed. It may be the garden shed, but most likely it will be a rented, dedicated space. The setting up of an office signifies the owner’s intention to create a professional atmosphere for his company.

With the increased workload, additional staff would be necessary. The owner would now have a higher value attached to his time, and although growth continues to be a major goal, there now has to be a system to support the customers who are already on board.

Apart from the hired staff, there are operations that will be outsourced to other businesses, such as accounting and application development. The company might decide on using a hosting company to support its website or a payment handler to process purchases.

At this point, a lot of the information needed to run the company is being exposed to people other than the owner. The company’s staff and the staff of the outsourced services are privy to the personal details of the business’ customers.

At this stage of the business, there will be a need to separate the views of the data held by the business, both within the company and among external partnerships. Salaries, accounts and emails are a few examples.

Staff should have personal, password-protected accounts on machines. Staff should also have personal email accounts, with the owner maintaining ultimate access rights. Data shipped to external parties should be encrypted. Stored data should be encrypted, given a time limit and safely discarded in the end.

It is never too early or too late to develop good information security habits. The earlier the good habits are started, the more mature a protective system becomes.

Mature protective systems avoid the need for constant firefighting with respect to protecting data and achieving legislative compliance. As the company gets bigger, there will be external audits to deal with on a regular basis. In the final part of this series I will look at how an information security system can work to protect data and maintain compliance continuously.